So after a TOTP, when you send the challenge, it can respond with "denied" (wrong TOTP) or "continue: password" to show you now need the password next.
There are certain ways that process could be improved, such as letting you have multiple attempts at the password post-TOTP, but that would need to wire in with the brute-force tracking.
Once that's all done, we issue a JWT which contains a signed User Auth Token structure, often called a UAT. The UAT is pretty minimal; generally it contains a uuid, the displayname/name/spn, and some internal metadata about session limits for the use of that UAT.
but you know ... we've like done everything on a silver platter here.
Anyway, I wanted ctap2 support on the kanidm cli for passkeys, so I am using it and there are some extra patches I had to add on top that we will merge "later" because again, mozilla dragging feet.
And no, crates stopped accepting git deps in crate trees.